From 503b3b33feca818baa4459aba286e54a528e5567 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Fri, 29 Aug 2014 09:27:52 +0200
Subject: [PATCH 1/2] qxl-render: add more sanity checks
Damn, the dirty rectangle values are signed integers. So the checks added by commit 788fbf042fc6d5aaeab56757e6dad622ac5f0c21 are not good enough, we also have to make sure they are not negative.
[ Note: There must be something broken in spice-server so we get negative values in the first place. Bug opened: https://bugzilla.redhat.com/show_bug.cgi?id=1135372 ]
Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann
Reviewed-by: Dr. David Alan Gilbert
---
 hw/display/qxl-render.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index cc2c2b1dbc..bcc5c3701a 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -138,7 +138,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
 if (qemu_spice_rect_is_empty(qxl->dirty+i)) {
 break;
 }
- if (qxl->dirty[i].left > qxl->dirty[i].right ||
+ if (qxl->dirty[i].left < 0 ||
+ qxl->dirty[i].top < 0 ||
+ qxl->dirty[i].left > qxl->dirty[i].right ||
 qxl->dirty[i].top > qxl->dirty[i].bottom ||
 qxl->dirty[i].right > qxl->guest_primary.surface.width ||
 qxl->dirty[i].bottom > qxl->guest_primary.surface.height) {
From cd56cc6b079f44fbcca3d8a773ae87f7479c6585 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Fri, 29 Aug 2014 10:13:28 +0200
Subject: [PATCH 2/2] spice: use console index as display id
... instead of maintaining our own numbering.
Signed-off-by: Gerd Hoffmann
---
 ui/spice-core.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 1a2fb4b237..17a2ed3782 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -853,7 +853,6 @@ int qemu_spice_add_interface(SpiceBaseInstance *sin)
 }
 static GSList *spice_consoles;
-static int display_id;
 bool qemu_spice_have_display_interface(QemuConsole *con)
 {
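Review bot: In the hw/display/qxl-render.c hunk the condition rejects a negative `left` and `top` but never tests `right` or `bottom` for negativity; that is sound only because `left >= 0` combined with `left <= right` (and likewise for top/bottom) implies it, and nothing in the code records that reasoning. A short comment above the `if` would keep a later edit from dropping one of the clauses, for example `/* rect fields are signed: 0 <= left <= right <= width and 0 <= top <= bottom <= height must all hold */`. The `right`/`bottom` comparisons against `surface.width`/`surface.height` may mix signed and unsigned operands (the field types are not visible here), so it is worth confirming they behave as intended on their own. The body of the `if` and the rest of qxl_render_update_area_unlocked lie outside the hunk, so how a rejected rectangle is handled or traced cannot be judged from this page.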
@@ -868,7 +867,7 @@ int qemu_spice_add_display_interface(QXLInstance *qxlin, QemuConsole *con)
 if (g_slist_find(spice_consoles, con)) {
 return -1;
 }
- qxlin->id = display_id++;
+ qxlin->id = qemu_console_get_index(con);
 spice_consoles = g_slist_append(spice_consoles, con);
 return qemu_spice_add_interface(&qxlin->base);
 }
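Review bot: With `qxlin->id = qemu_console_get_index(con);` in qemu_spice_add_display_interface the display id is no longer a dense counter starting at zero; it takes whatever index the console carries, so ids can be sparse and their uniqueness now rests on console indexes being unique. What qemu_console_get_index returns for a NULL or unregistered `con` is not visible here; if it can be negative, that value would be stored in `qxlin->id` unchecked, so a guard or assertion before the assignment may be warranted. A one-line comment such as `/* display id mirrors the QemuConsole index; ids may be sparse */` would record the new invariant for anyone who sizes or indexes by display id. The function begins outside the hunk.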